First Data Merchant Services Corp. v. SecurityMetrics, Inc.,
2014 WL 7409537, No. RDB–12–2568 (D. Md. Dec. 30, 2014)
Earlier
ruling excluding false endorsement survey.
Even
earlier ruling allowing false endorsement theory to proceed.
This “contentious” case involved a soured business
relationship and an earlier Utah settlement; this new filing alleged
post-settlement misconduct by SecurityMetrics. After this decision,
settlement-related claims and tortious interference claims remained, but the
false advertising/trademark aspects were gone.
Background: issuers issue payment cards to consumers and collects
from them. When a consumer uses a card
to pay a merchant, an “acquirer” obtains authorization for the transaction from
the consumer’s issuer and then clears and settles the transaction so that the
merchant gets paid and the consumer’s account gets charged. Some payment cards have open networks that
allow separate entities to operate as issuers and acquirers, in which case “processors”
facilitate communication and settlement.
First Data operates as an acquirer and payment processor. Sometimes First Data stands in the shoes of
other acquirers and then deals with the acquirers’ merchants directly.
PCI is an acronym for “Payment Card Industry.” The PCI
Security Standards Council was formed in 2006 by the major credit card brands
and developed the PCI Data Security Standard, adopted by the major credit card
brands as their data security compliance requirement for all merchants. While the PCI standard is universal, various
payment card brands have different requirements for showing compliance. For the
lower-volume merchants at issue here, they can use a self-assessment
questionnaire, unless they sell over the internet, which requires vulnerability
scans of their computer systems that must be approved by PCI Council-approved
scanning vendors (ASV). SecurityMetrics is certified by the PCI Council as an
ASV, but First Data is not.
First Data processed credit and debit card transactions for
merchants and independent sales organizations (ISOs). SecurityMetrics provided
compliance services to some merchants for whom First Data provides processing
services. Where First Data provided
acquirer services (~820,000 merchants), it instituted a PCI Standard compliance
reporting program. The parties worked together for several years, with
SecurityMetrics as First Data’s preferred vendor for validating compliance with
PCI Standards. First Data then began offering PCI Rapid Comply, in competition
with the services offered by SecurityMetrics.
SecurityMetrics alleged various unfair practices in connection with
First Data’s rollout of PCI Rapid Comply, including representations that First
Data merchants who used other compliance verification vendors would have to pay
for those services along with the cost of PCI Rapid Comply. Utah litigation resulted in a settlement; First
Data then decided to wind down PCI Rapid Comply and partnered with Trustwave, a
third-party PCI compliance vendor.
SecurityMetrics’ false advertising claims were based on
First Data’s statements that if its clients used a third-party vendor for compliance
services, they’d have to contract with and pay that vendor directly; that they’d
still owe the Compliance Service Fee; and that if First Data’s PCI compliance
services were contractually available to clients, they’d be charged for those
services even if they used a third-party vendor. However, First Data allegedly actually
provided refunds to merchants who used third-party vendors, covering the fee.
The court first determined that the statement at issue was
not literally false. First Data charged
a standard fee but in some cases provided a refund. Thus, the statements weren’t false, but
omitted that a refund might be available.
That was at best misleading, and there was no extrinsic evidence of
actual consumer confusion. Thus, summary
judgment for First Data was appropriate.
The court commented that this same statement could go to a jury for a literal
falsity determination in other circumstances: if First Data never charged the compliance fee, a
jury would have to decide whether the statements were false. But no reasonable jury could conclude that
the statement was false on its face given the actual facts.
False endorsement: SecurityMetrics argued that the name PCI
Rapid Comply falsely suggested endorsement by the PCI Security Standards
Council, and that First Data’s statement that “Claims that certain services
offered by FDMS are not ‘approved’ by the PCI Security Council or that FDMS is
selling PCI compliance products it is not authorized to sell are not true.” But without survey evidence about the name,
there wasn’t enough evidence to proceed on that theory. The acronym alone didn’t unambiguously imply endorsement,
so SecurityMetrics needed extrinsic evidence.
(Note application of §43(a)(1)(B) standard to what’s generally a §43(a)(1)(A)
theory, though this is arguably appropriate given that plaintiff isn’t claiming
that the defendant is getting a false endorsement from the plaintiff, but
rather from a third party.)
Likewise, SecurityMetrics argued that the “not true”
statement was clearly false. First Data argued that the terms “approved” and
“authorized” were ambiguous and there was no evidence that Rapid Comply was not
“approved” or “authorized” by the PCI Council, especially given that the
service operated for two years without any signs of disapproval from the PCI
Council. The court found the statement “inherently
ambiguous.” First, it referred to “certain
services,” which lacked specificity, though presumably referred to Rapid
Comply. (In context, that ambiguity
seems to drop out.) Second, the
statement could be interpreted in various ways.
One meaning would be that the services are simply not authorized or
approved because such authorizations and approvals are not made by the PCI
Council. That wasn’t literally false and there was no extrinsic evidence of
deception.
SecurityMetrics’ counterclaim for cancellation of First Data’s
registered trademark in PCI Rapid Comply also failed for similar reasons, as
did the Utah Truth in Advertising Claim.
No comments:
Post a Comment